Guest Blog: Jon Burg is the Head of Product Marketing at AppsFlyer. Jon is a seasoned marketer with 10 years experience in communications, customer experience and product innovation. As the founder of the social marketing capability at Digitas, Jon led social marketing and product strategy for a number of Fortune 500 brands.

AppsFlyer, founded in 2011, is a SaaS mobile marketing analytics and attribution platform, based out of Herzliya, Israel.

Mobile fraud is a real and growing issue. As billions of dollars have poured into the mobile marketing ecosystem, fraudsters have upped their game, finding ever more advanced ways to tap into this lucrative market. Since 2011, the team at AppsFlyer has helped mobile marketers detect, prevent and actively fight mobile fraud. Over the years, as the scale and sophistication of mobile fraud has grown, we have worked hand-in-hand with advertisers and partners across the industry to address this challenge.

Today’s mobile fraud takes many forms and demands a multi-layered approach to fraud protection, detection and prevention. In order to best understand mobile fraud and how AppsFlyer is doing something about it, we must take a step back and understand the economics that drive mobile fraud.

Click Fraud Fraudulent clicks offer fraudsters a number of lucrative opportunities. In addition to tapping into CPC-based media, click fraud offers a more reliable way to capture or hijack app installs — and this type of fraud happens in a number of ways. Traditionally click fraudsters reported impressions as clicks, used bots to simulate clicks or forced clicks (e.g. hiding the X on an intrusive ad).

Another similar tactic is click-flooding/spamming. In click spamming/flooding, the network sends massive numbers of click-reports from historical IDFAs on file, hoping to hit a few actual installs and gain the lucrative CPI payout. In another common scenario, the network reports thousands of clicks across dozens of click-urls for each legitimate click. Because this is based on actual user activity, they believe it will be harder to detect and address. More recently, we have seen advanced fraudsters using malware to hijack devices. This malware identifies when a click or install occurs and sends a fraudulent click shortly after the last click, or during the install process – thereby ensuring that the install is attributed to the fraudster.

Install Fraud There are many types of install fraud. Basic install frauds relies on bots to simulate app installs or repeatedly install, uninstall and reinstall apps – often in easily detectable patterns. More advanced install fraudsters use actual mobile devices to download apps at scale, creating fraud that is far harder to detect. Many fraudsters will also enable Limit Ad Tracking features on these devices (which gives anonymizes their Device ID – e.g. IDFA) or hide behind VPNs (masking their IP address) to try to prevent detection. Ironically, hiding behind a VPN often makes fraud easier to identify – as many anti-fraud solutions block these IP addresses. However, smarter fraudsters have found many route around IP-blacklisting.

Lastly, many fraudsters are engaging in IDFA/GAID reset marathons, resetting these key identifiers between fraudulent installs. This is a tactic has proven surprisingly effective, as it relies on real installs occurring on real devices and with the right setup, can even appear to come from real IP addresses. Device ID reset marathons are becoming increasingly popular, and we are seeing this fraud pop-up on installs around the globe.

Engagement and Purchase Fraud As advertisers increasingly shift to CPA-based media, fraudsters have developed a number of ways to perpetrate engagement and install fraud. The most basic approach relies on pre-programmed bots that follow a specific engagement pattern (which is also easily identified), trying to improve their retention and engagement rates. Others attempt man-in-the-middle attacks and retransmission fraud, sending simulated and retransmitted in-app events, ad view events and even purchase events in an attempt to inflate their retention and engagement rates. In some cases, fraudsters insert malicious code onto mobile devices (e.g. via apps downloaded from untrustworthy third-party app stores), or employ a click farm to generate seemingly legitimate in-app events and revenue activity. By inflating their in-app engagement, revenue and retention, fraudsters attempt to tap into lucrative CPA and ROI based media.

The AppsFlyer Active Fraud Suite

Advertisers using AppsFlyer enjoy both proactive fraud prevention that blocks fraud as it occurs, as well as the option to gain active insights into fraudulent and suspicious activity. Though we cannot reveal the full scope of our solutions in public, below are some insights into how AppsFlyer helps’s solutions the preferred choice for the world’s most advanced mobile marketers tackle the issue of mobile fraud.

The AppsFlyer Active Fraud Suite uses a proprietary combination of multiple layers of technology to address each type of mobile fraud, blocking known fraud at its’ source and detecting likely-fraud for further follow-up. At the start, it’s important to understand the role that big data (massive databases) play in fraud protection. The more data you have, the larger the pool of insights you can build. At AppsFlyer, our technology runs on 98% of all smartphones in the world, generating nearly half a trillion monthly tracked events. This secure, anonymized database serves as the backbone against which our anti-fraud solutions are developed and optimized.

Active Fraud Protection As we have said earlier, when you think about mobile fraud protection, think layers. At AppsFlyer, our solutions start with real-time filtering that blocks blacklisted IP addresses, user agents and device IDs (based on DeviceRankTM).

These analyses are often useful proactively blocking bot and malware driven fraud. In one case we identified an identical install and engagement pattern across advertisers and ad networks that always came from a handful of sub-publishers (Site IDs). This was clearly fraudulent activity and was automatically blocked. Our machine learning algorithms continuously monitor for these abnormalities, always updating and learning to deliver best-in-class protection against the newest fraud schemes.

We also utilize a number of verification and authentication solutions to address fraud. Install validation on iOS and purchase validation across both iOS and Android are helpful in blocking simulated installs and purchase events. Similarly, our secure, post-compilation SDKs use secure verification mechanisms to authenticate genuine installations and in-app events, helping to prevent of man-in-the-middle attacks and retransmission fraud.

DeviceRankTM

Last year we took our fraud protection a step further with the addition of DeviceRankTM, the industry’s first device-level mobile fraud protection. DeviceRankTM is a proprietary, advanced scoring system that rates device IDs based on an anonymized, install and engagement metadata profile. Based on over a dozen install and engagement metadata points, devices are ranked on a scale from C (known fraud) to AAA (strongly legitimate profile). DeviceRankTM scores are automatically updated with each new engagement, helping to automatically remove known malicious devices.

Internal benchmarks have shown that when used in combination with the above mentioned anti-fraud techniques, DeviceRankTM delivers 3x – 12x stronger protection than industry standard solutions.

Active Fraud Insights In parallel with the launch of DeviceRankTM, we released Active Fraud Insights. Active Fraud Insights (AFI) is a dynamic dashboard that provides advertisers with unparalleled, comprehensive fraud reporting. With AFI, advertisers can track which media sources, geos and even SiteIDs (sub-publishers) are sending installs from fraudulent and highly-suspicious devices. With reporting covering both the total number of installs as well as the percentage of total installs in each category, advertisers can take timely, corrective action based on not only where we have already blocked fraud, but where they are likely vulnerable.

But that’s not all. Active Fraud Insights also reports installs by media sources, geos or SiteIDs from devices with Limit Ad Tracking (LAT) enabled as well as “new” devices (device IDs not previously logged in AppsFlyer’s database). In a few recent examples, large advertisers discovered nearly a million dollars in fraud from click-farms that evaded all detection by hiding behind Limit Ad Tracking enabled-devices or deviceID reset marathons. These “real” installs occurred on real devices and came from real people, but occurred in such high concentrations that there was clearly fraud. Further research revealed specific SiteIDs with very high concentrations of LAT and new devices, indicating the presence of a few bad actors in an otherwise clean campaign. The only conclusive way to address this type of fraud is to use big-data driven, device-based fraud insights.

To round it out, we recently added the even more data to the Active Fraud Insights dashboards, providing advertisers with direct access to their click to install time distribution and new device install distribution patterns. Like all other elements of the AFI dashboard, marketers can easily filter or group their data to dive deeper into their performance.

The Bottom Line Mobile fraud is a game of cat and mouse. As fraudsters have increased their scale and advanced their techniques, it is time for the industry to adapt as well. While not every region, OS and vertical are equally impacted, mobile fraud is ever present and part of our new reality. Today’s serious mobile marketers cannot afford to rely on simplistic, dated solutions. Smart mobile marketers are taking big-data based, multi-layered solutions to actively block fraud at its’ source and take identify likely fraudsters that have learned to evade detection.